It calls itself AntiMalware, but I don't believe it...


Re: It calls itself AntiMalware, but I don't believe it...

Post by jmw3 » September 12th, 2009, 10:01 pm

Hi

TFC (Temp File Cleaner)
Download TFC (Temp File Cleaner) by Old Timer Here & save it to your desktop.
  • Save any unsaved work. TFC Cleaner will close all open application windows
  • Double-click TFC.exe to run the program; your desktop will temporarily disappear
  • If prompted, click Yes to reboot
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take any longer than a couple of minutes & may only take a few seconds. Only if needed will you be prompted to reboot.

CFScript
Close any open browsers.
Open notepad and copy/paste the text in the code box below into it:

SecCenter::
SP: AntiMalware *enabled* (Updated) {A22E352E-8ADD-4EE0-87EA-81874CE74BEE}
Folder::
c:\program files\FrostWire
c:\users\steven and matt\AppData\Roaming\AntiMalware
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{674AB179-CC90-4AB2-875C-7EC4F5780D74}c:\\program files\\bearshare applications\\bearshare\\bearshare.exe"=-
"UDP Query User{37FA1AA0-D1E3-4CCF-9119-C25AB9E79064}c:\\program files\\bearshare applications\\bearshare\\bearshare.exe"=-
"{A57D4A9B-DDE3-4717-A32A-AAEA7B7D474D}"=-
"{27CD136F-BFA9-4096-B95D-7A9EF0480EAC}"=-
DDS::
IE: &Search

Save this as CFScript.txt, in the same location as ComboFix.exe

Image

Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note: Do not mouse-click ComboFix's window whilst it's running; that may cause it to stall.
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Kaspersky Online Scan
Right-click on your favourite web browser (Internet Explorer, Firefox, etc.) and select Run As Administrator to run it
Go to the Kaspersky website and perform an online antivirus scan
  • Read through the requirements and privacy statement and click on Accept button
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run
  • When the downloads have finished, click on Settings
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan
  • Once the scan is complete, it will display the results. Click on View Scan Report
  • You will see a list of infected items there. Click on Save Report As...
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply
Pictured tutorial if required.

To post in next reply:
ComboFix log
Kaspersky Scan log
new HijackThis log
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia
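Before running a script like the CFScript above, it helps to know exactly what it will delete and change. The Python below is an added example, not code from the forum, from jmw3, or from ComboFix itself; it parses a constructed copy of the posted script into a reviewable plan and flags any Folder:: target that sits under Windows itself. It assumes that a ComboFix script is divided by `Name::` headers and that the Registry:: section follows .reg file conventions (`[key]` lines, `"name"=data` lines, and `"name"=-` meaning "delete this value"); the `risky_folder_targets` check and the `PROTECTED_PREFIXES` list are this example's own choices.

```python
"""Parse a ComboFix CFScript into a reviewable plan before it is run.

Added example: the section layout ('Name::' headers) and the .reg-style
Registry:: syntax are assumptions based on the script posted in the thread.
"""
import re
from dataclasses import dataclass, field

# Constructed copy of the script posted in the thread (trimmed to one
# firewall rule per kind so the sample stays short).
SAMPLE_SCRIPT = r"""SecCenter::
SP: AntiMalware *enabled* (Updated) {A22E352E-8ADD-4EE0-87EA-81874CE74BEE}
Folder::
c:\program files\FrostWire
c:\users\steven and matt\AppData\Roaming\AntiMalware
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{674AB179-CC90-4AB2-875C-7EC4F5780D74}c:\\program files\\bearshare applications\\bearshare\\bearshare.exe"=-
"{A57D4A9B-DDE3-4717-A32A-AAEA7B7D474D}"=-
DDS::
IE: &Search
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")          # e.g. "Folder::"
KEY_RE = re.compile(r"^\[(.+)\]$")                       # e.g. "[HKLM\...]"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')     # "name"=data

# Deleting anything under these prefixes would damage Windows itself;
# such targets should be double-checked (example's own list, not ComboFix's).
PROTECTED_PREFIXES = ("c:\\windows", "c:\\program files\\common files")


@dataclass
class RegistryAction:
    key: str
    value_name: str
    action: str          # "set" or "delete"
    data: str = ""


@dataclass
class Plan:
    sections: dict = field(default_factory=dict)   # section name -> raw lines
    folders: list = field(default_factory=list)    # Folder:: targets
    registry: list = field(default_factory=list)   # RegistryAction items


def split_sections(text):
    """Group non-empty lines under the most recent 'Name::' header."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None or not line:
            continue
        sections[current].append(line)
    return sections


def parse_registry(lines):
    """Turn .reg-style lines into set/delete actions bound to their key."""
    actions, key = [], None
    for line in lines:
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = VALUE_RE.match(line)
        if vm and key is not None:
            # .reg files escape backslashes inside quoted names as "\\".
            name = vm.group(1).replace("\\\\", "\\")
            data = vm.group(2)
            if data == "-":
                actions.append(RegistryAction(key, name, "delete"))
            else:
                actions.append(RegistryAction(key, name, "set", data))
    return actions


def parse_cfscript(text):
    sections = split_sections(text)
    plan = Plan(sections=sections)
    plan.folders = list(sections.get("Folder", []))
    plan.registry = parse_registry(sections.get("Registry", []))
    return plan


def risky_folder_targets(plan):
    """Folder:: entries that point at Windows/system locations or a drive root."""
    risky = []
    for folder in plan.folders:
        low = folder.lower().rstrip("\\")
        if low.startswith(PROTECTED_PREFIXES) or re.fullmatch(r"[a-z]:", low):
            risky.append(folder)
    return risky


def summarize(plan):
    """Human-readable plan: what the script would delete or change."""
    out = [f"folders to delete: {len(plan.folders)}"]
    out += [f"  rmdir {f}" for f in plan.folders]
    out.append(f"registry actions: {len(plan.registry)}")
    for a in plan.registry:
        if a.action == "delete":
            out.append(f"  delete value '{a.value_name}' under [{a.key}]")
        else:
            out.append(f"  set value '{a.value_name}'={a.data} under [{a.key}]")
    for f in risky_folder_targets(plan):
        out.append(f"  WARNING: system location listed for deletion: {f}")
    return "\n".join(out)


if __name__ == "__main__":
    print(summarize(parse_cfscript(SAMPLE_SCRIPT)))
```

Running it prints the two folders that will be removed, the Security Center monitoring value that will be reset to 0, and the firewall rules that will be deleted, with no warnings, since nothing in the posted script touches a Windows system directory.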

Re: It calls itself AntiMalware, but I don't believe it...

Post by Pi&Chips » September 13th, 2009, 11:35 am

Hi

Sorry, that took a while, but here are the logs - ComboFix, Kaspersky, HijackThis - as requested...

ComboFix 09-09-11.03 - steven and matt 13/09/2009 13:14.2.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1022.367 [GMT 1:00]
Running from: c:\users\steven and matt\Desktop\ComboFix.exe
Command switches used :: c:\users\steven and matt\Desktop\cfscript.txt
SP: AntiMalware *enabled* (Updated) {A22E352E-8ADD-4EE0-87EA-81874CE74BEE}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\FrostWire
c:\program files\FrostWire\01-mariah_carey-migrate_(featuring_t-pain).mp3
c:\program files\FrostWire\Akon - Convicted - 10 - Keep On Calling (Ft. P. Money).mp3
c:\program files\FrostWire\Boys 2 Men - Boyz II Men - I ll Make Love to You.mp3
c:\program files\FrostWire\Boys 2 Men - Its So Hard To Say Goodbye To Yesterday - Boyz II Men - Unknown.mp3
c:\program files\FrostWire\Boyz II Men - Boys 2 Men- End of the Road.mp3
c:\program files\FrostWire\Brit & Alex - Let It Go.mp3
c:\program files\FrostWire\Dj Ironik - One Night.mp3
c:\program files\FrostWire\DJ Ironik - So Amazing.mp3
c:\program files\FrostWire\DJ Ironik - Trust.mp3
c:\program files\FrostWire\DJ Ironik - Wifey Riddem.mp3
c:\program files\FrostWire\Dj ironik ft Wiley - please dont goo.mp3
c:\program files\FrostWire\DJ Ironik Ft. Voltage - Everytime We Touch.mp3
c:\program files\FrostWire\Ghostt - No1 Fan.mp3
c:\program files\FrostWire\Lethal Bizzle - Fire.mp3
c:\program files\FrostWire\Lethal Bizzle - Haters.mp3
c:\program files\FrostWire\Lethal Bizzle ft Kate Nash - Look What You've Done .mp3
c:\program files\FrostWire\Lil Mama ft. TPain & Chris Brown - Shawty Get Loose.mp3
c:\program files\FrostWire\log.txt
c:\program files\FrostWire\Madonna Ft Justin Timberlake - 4 Minutes (Prod. Timbaland-2008)(1).mp3
c:\program files\FrostWire\Mariah Carey - Butterfly.mp3
c:\program files\FrostWire\Mariah Carey - E=MC2 - bye bye.mp3
c:\program files\FrostWire\Mariah Carey - I don't wanna cry.MP3
c:\program files\FrostWire\nokia charger wire skepta.mp3
c:\program files\FrostWire\Pink - Family Portrait.mp3
c:\program files\FrostWire\Pokemon Soundtrack.mp3
c:\program files\FrostWire\Rihanna - Take a bow.mp3
c:\program files\FrostWire\seenMessages.dat
c:\program files\FrostWire\Skepta- Slewin' everyone.MP3
c:\program files\FrostWire\Skepta - Nokia Charger Wire.mp3
c:\program files\FrostWire\Skepta - Oh My Diddy.mp3
c:\program files\FrostWire\Skepta_-_Nokia_Charger_Wire.mp3
c:\program files\FrostWire\Wiley - Wearing My Rolex .mp3
c:\program files\FrostWire\Will.I.Am (Feat. Cheryl Cole) - Heartbreaker.mp3
c:\users\steven and matt\AppData\Roaming\AntiMalware
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-10 12-05-540.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-10 14-18-400.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-10 20-30-320.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-11 09-27-060.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-11 15-11-510.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-12 08-54-390.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-12 13-34-170.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-12 18-45-440.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-12 19-39-560.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-13 10-18-100.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-13 15-27-280.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-13 17-05-500.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-13 22-19-400.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-14 09-21-360.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-14 16-04-560.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-14 23-34-390.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-15 10-33-330.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-15 18-29-200.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-16 08-33-220.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-16 13-39-380.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-16 17-12-400.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-16 20-37-420.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-16 23-46-230.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-17 13-28-060.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-17 18-21-190.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-17 22-09-160.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-18 08-50-460.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-18 17-40-050.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-18 22-44-220.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-19 10-05-170.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-19 17-49-110.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-19 21-03-340.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-20 10-50-530.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-20 14-03-390.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-20 20-01-470.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-21 10-47-040.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-21 14-24-120.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-21 20-05-070.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-22 10-46-080.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-22 11-50-000.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-22 14-08-430.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-22 18-50-320.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-22 22-04-410.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-23 10-11-240.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-23 16-52-480.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-27 10-36-020.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-27 12-47-160.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-27 18-01-270.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-28 10-24-250.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-28 15-42-330.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-28 18-01-540.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-28 20-43-260.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-29 11-28-040.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-29 12-06-210.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-29 13-34-180.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-29 20-45-220.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-29 23-09-490.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-30 10-17-010.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-31 10-30-010.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-31 14-27-190.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-31 17-48-580.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-07-31 19-53-550.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-08-01 09-13-030.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-08-01 11-43-200.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-08-01 14-11-400.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-08-01 14-32-210.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-08-01 17-58-070.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-08-01 22-46-590.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-08-01 23-14-480.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-08-17 10-14-590.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-08-17 13-59-260.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-08-18 10-11-460.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-08-18 13-05-510.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-08-18 20-40-000.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-08-18 20-49-180.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-08-19 08-55-160.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-08-19 14-03-270.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-08-19 20-42-530.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-08-20 10-04-570.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-08-20 21-37-440.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-08-21 00-22-530.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-08-21 10-52-150.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-08-21 12-30-050.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-08-21 19-00-490.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-08-21 20-53-110.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-08-22 13-15-540.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-08-22 15-05-090.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-08-22 17-35-150.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-08-22 17-40-520.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-08-22 21-03-060.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-08-23 00-33-040.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-08-23 00-37-390.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-08-23 00-39-470.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-08-23 00-43-550.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-08-23 10-15-540.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-08-23 13-13-500.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-08-23 14-29-000.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-08-23 14-36-310.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-08-23 17-09-430.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-08-23 17-19-250.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-08-24 08-41-190.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-08-24 14-58-300.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-08-24 15-40-220.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-08-29 13-30-210.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-08-29 14-38-420.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-08-31 10-34-040.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-08-31 10-46-010.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-08-31 11-47-270.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-08-31 11-58-260.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-09-03 10-24-530.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-09-03 10-32-200.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-09-03 11-12-230.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-09-04 17-44-470.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-09-04 18-24-190.log
c:\users\steven and matt\AppData\Roaming\AntiMalware\Logs\2009-09-07 14-56-370.log

.
((((((((((((((((((((((((( Files Created from 2009-08-13 to 2009-09-13 )))))))))))))))))))))))))))))))
.

2009-09-13 12:25 . 2009-09-13 12:25 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-09-13 12:25 . 2009-09-13 12:25 -------- d-----w- c:\users\Phil\AppData\Local\temp
2009-09-13 12:25 . 2009-09-13 12:25 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-09-12 16:20 . 2009-09-13 12:25 -------- d-----w- c:\users\steven and matt\AppData\Local\temp
2009-09-11 13:00 . 2009-09-12 16:09 -------- d-----w- C:\Kontiki
2009-09-11 10:53 . 2009-09-11 10:53 -------- d-----w- c:\windows\Sun
2009-09-11 09:41 . 2009-09-11 09:41 -------- d-----w- c:\program files\iPod
2009-09-11 09:41 . 2009-09-11 09:42 -------- d-----w- c:\program files\iTunes
2009-09-11 08:30 . 2009-09-11 08:30 -------- d-----w- c:\users\steven and matt\AppData\Roaming\AVG8
2009-09-10 21:24 . 2009-09-10 21:24 -------- d-----w- c:\programdata\ATI
2009-09-10 21:21 . 2009-09-10 21:21 -------- d-----w- c:\program files\Common Files\ATI Technologies
2009-09-10 21:21 . 2009-04-03 14:21 95232 ----a-w- c:\windows\system32\drivers\AtiHdmi.sys
2009-09-10 21:18 . 2009-04-29 02:08 442368 ----a-w- c:\windows\system32\ATIDEMGX.dll
2009-09-10 20:48 . 2009-09-10 20:48 -------- d-----w- c:\program files\iPhone Configuration Utility
2009-09-10 20:41 . 2009-05-18 13:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-09-10 20:41 . 2008-04-17 12:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-09-10 20:40 . 2009-09-10 20:41 -------- d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-10 20:37 . 2009-09-10 20:38 -------- d-----w- c:\program files\QuickTime
2009-09-10 16:39 . 2009-06-10 11:41 2868224 ----a-w- c:\windows\system32\mf.dll
2009-09-10 16:38 . 2009-08-14 16:27 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-09-10 16:38 . 2009-08-14 13:48 105984 ----a-w- c:\windows\system32\netiohlp.dll
2009-09-10 16:38 . 2009-08-14 15:53 17920 ----a-w- c:\windows\system32\netevent.dll
2009-09-10 16:38 . 2009-08-14 13:49 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-09-10 16:38 . 2009-08-14 13:49 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-09-10 16:38 . 2009-08-14 13:49 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-09-10 16:38 . 2009-08-14 13:49 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-09-10 16:38 . 2009-08-14 13:49 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-09-10 16:38 . 2009-08-14 13:49 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-09-10 16:38 . 2009-08-14 13:49 10240 ----a-w- c:\windows\system32\finger.exe
2009-09-10 16:38 . 2009-08-14 13:48 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-09-10 16:37 . 2009-07-11 19:01 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2009-09-10 16:37 . 2009-07-11 19:01 513536 ----a-w- c:\windows\system32\wlansvc.dll
2009-09-10 16:37 . 2009-07-11 19:01 302592 ----a-w- c:\windows\system32\wlansec.dll
2009-09-10 16:37 . 2009-07-11 19:01 65024 ----a-w- c:\windows\system32\wlanapi.dll
2009-09-10 16:37 . 2009-07-11 17:03 127488 ----a-w- c:\windows\system32\L2SecHC.dll
2009-09-10 16:16 . 2009-09-10 16:24 185049 ----a-w- C:\MGlogs.zip
2009-09-10 16:16 . 2009-09-10 16:24 -------- d-----w- C:\MGtools
2009-09-10 16:16 . 2009-09-10 13:13 1344398 ----a-w- C:\MGtools.exe
2009-09-10 15:54 . 2009-09-10 15:54 0 ----a-w- C:\settings.dat
2009-09-10 12:17 . 2009-09-10 12:17 -------- d-----w- c:\program files\CCleaner
2009-09-07 21:18 . 2009-09-07 21:18 -------- d-----w- c:\program files\Trend Micro
2009-09-07 18:14 . 2009-09-07 21:09 -------- d-----w- c:\users\steven and matt\AppData\Local\temp(26)
2009-09-07 18:14 . 2009-09-07 18:14 -------- d-----w- c:\users\Phil\AppData\Local\Temp(11)
2009-09-07 17:22 . 2009-09-07 17:22 -------- d-----w- c:\users\Phil\AppData\Local\Apple Computer
2009-09-07 17:22 . 2009-09-07 17:22 -------- d-----w- c:\users\Phil\AppData\Roaming\Roxio
2009-09-07 16:09 . 2009-09-07 16:09 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-09-07 16:09 . 2009-09-10 13:20 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-07 16:09 . 2009-09-07 16:09 -------- d-----w- c:\users\steven and matt\AppData\Roaming\SUPERAntiSpyware.com
2009-09-07 16:08 . 2009-09-10 13:20 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-07 14:26 . 2009-09-07 14:26 -------- d-----w- c:\users\steven and matt\AppData\Roaming\Malwarebytes
2009-09-07 14:26 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-07 14:26 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-07 14:26 . 2009-09-10 15:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-07 14:26 . 2009-09-07 14:26 -------- d-----w- c:\programdata\Malwarebytes
2009-09-03 10:42 . 2009-09-03 10:42 -------- d-----w- c:\program files\ATI
2009-09-03 10:40 . 2009-09-03 10:40 -------- d-----w- C:\ATI
2009-09-03 10:04 . 2009-06-22 10:09 2048 ----a-w- c:\windows\system32\tzres.dll
2009-09-03 09:56 . 2009-08-29 00:14 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-09-03 09:56 . 2009-08-29 00:27 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-09-03 09:24 . 2009-09-04 16:44 680 ----a-w- c:\users\steven and matt\AppData\Local\d3d9caps.dat
2009-08-31 10:52 . 2009-08-31 10:52 -------- d-----w- c:\program files\NortonInstaller
2009-08-20 20:44 . 2009-06-15 14:53 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-08-20 20:44 . 2009-06-15 14:52 499712 ----a-w- c:\windows\system32\kerberos.dll
2009-08-20 20:44 . 2009-06-15 14:54 175104 ----a-w- c:\windows\system32\wdigest.dll
2009-08-20 20:44 . 2009-06-15 14:53 270848 ----a-w- c:\windows\system32\schannel.dll
2009-08-20 20:44 . 2009-06-15 14:52 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2009-08-20 20:44 . 2009-06-15 23:15 439864 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-08-20 20:44 . 2009-06-15 14:53 72704 ----a-w- c:\windows\system32\secur32.dll
2009-08-20 20:44 . 2009-06-15 12:48 9728 ----a-w- c:\windows\system32\lsass.exe
2009-08-17 09:29 . 2009-06-10 11:42 160256 ----a-w- c:\windows\system32\wkssvc.dll
2009-08-17 09:29 . 2009-07-17 13:54 71680 ----a-w- c:\windows\system32\atl.dll
2009-08-17 09:29 . 2009-06-04 12:07 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-08-17 09:29 . 2009-06-10 11:38 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-08-17 09:29 . 2009-07-15 12:39 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-08-17 09:29 . 2009-07-15 12:39 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-08-17 09:29 . 2009-07-15 12:39 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-08-17 09:28 . 2009-07-15 12:40 8147456 ----a-w- c:\windows\system32\wmploc.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-13 12:25 . 2008-03-21 16:54 -------- d-----w- c:\programdata\Kontiki
2009-09-11 09:41 . 2007-07-02 21:13 -------- d-----w- c:\program files\Common Files\Apple
2009-09-11 09:12 . 2007-07-02 21:13 -------- d-----w- c:\programdata\Apple Computer
2009-09-10 21:24 . 2007-03-14 08:07 -------- d-----w- c:\program files\ATI Technologies
2009-09-10 21:00 . 2007-07-02 21:16 -------- d-----w- c:\users\steven and matt\AppData\Roaming\Apple Computer
2009-09-10 20:46 . 2008-03-21 09:36 -------- d-----w- c:\program files\Safari
2009-09-10 16:42 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-09-10 16:31 . 2007-12-22 09:11 -------- d-----w- c:\users\steven and matt\AppData\Roaming\Packard Bell
2009-09-10 12:04 . 2009-05-04 07:40 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-10 12:04 . 2007-12-01 11:08 -------- d-----w- c:\program files\Java
2009-09-07 21:11 . 2008-07-05 10:37 -------- d-----w- c:\programdata\Yahoo! Companion
2009-09-07 17:22 . 2007-07-02 19:33 83384 ----a-w- c:\users\Phil\AppData\Local\GDIPFONTCACHEV1.DAT
2009-09-07 16:01 . 2007-03-14 08:13 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-07 16:00 . 2007-03-14 08:13 -------- d-----w- c:\programdata\Symantec
2009-09-07 15:42 . 2007-07-02 19:52 -------- d-----w- c:\program files\MSN Messenger
2009-08-20 09:40 . 2007-07-02 19:44 37272 ----a-w- c:\users\steven and matt\AppData\Roaming\wklnhst.dat
2009-08-13 10:14 . 2009-08-13 10:14 472064 ----a-w- C:\RootRepeal.exe
2009-07-21 21:52 . 2009-07-29 09:50 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-07-29 09:50 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-07-29 09:50 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-07-29 09:50 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-15 14:00 . 2009-07-15 14:00 -------- d-----w- c:\programdata\NortonInstaller
2009-06-15 14:53 . 2009-07-15 09:42 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 14:52 . 2009-07-15 09:42 23552 ----a-w- c:\windows\system32\lpk.dll
2009-06-15 14:52 . 2009-07-15 09:42 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-06-15 14:51 . 2009-07-15 09:42 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-06-15 12:42 . 2009-07-15 09:42 289792 ----a-w- c:\windows\system32\atmfd.dll
2007-03-14 15:54 . 2007-03-14 15:54 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-09-12_16.03.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-03-14 08:06 . 2009-09-13 12:13 68334 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-09-13 12:13 77456 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2007-07-02 20:08 . 2009-09-13 12:13 21134 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-4215399350-4177395727-2489711560-1003_UserData.bin
+ 2007-07-02 19:24 . 2009-09-13 12:10 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2007-07-02 19:24 . 2009-09-12 11:30 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2007-07-02 19:24 . 2009-09-12 11:30 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2007-07-02 19:24 . 2009-09-13 12:10 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2007-07-04 15:52 . 2009-09-12 16:09 4626 c:\windows\System32\WDI\ERCQueuedResolutions.dat
- 2009-09-12 11:30 . 2009-09-12 11:30 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-09-13 12:10 . 2009-09-13 12:10 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-09-12 11:30 . 2009-09-12 11:30 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-09-13 12:10 . 2009-09-13 12:10 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-05-04 08:24 . 2009-09-13 12:10 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2009-05-04 08:24 . 2009-09-12 11:30 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2007-07-02 19:24 . 2009-09-13 12:10 180224 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2007-07-02 19:24 . 2009-09-12 11:30 180224 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-30 39408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-04 1994480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"HostManager"="c:\program files\Common Files\AOL\1173859703\ee\AOLSoftware.exe" [2006-11-14 50736]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-20 228088]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-10 29744]
"toolbar_eula_launcher"="c:\program files\Packard Bell\GOOGLE_EULA\EULALauncher.exe" [2007-01-10 18944]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-01-12 275800]
"VX3000"="c:\windows\vVX3000.exe" [2006-12-05 707360]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-08 645328]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-10 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-04-28 61440]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-08 305440]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2006-11-09 3784704]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-4-6 147456]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoThumbnailCache"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):56,87,81,f3,15,e5,c9,01

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{5B25D64F-86BA-468A-B4C7-12703E460870}"= UDP:c:\program files\Common Files\aol\acs\AOLDial.exe:AOL Connectivity Service Dialler
"{4C7EA2EC-7BB4-48BB-AA21-A905C1F8BF5D}"= TCP:c:\program files\Common Files\aol\acs\AOLDial.exe:AOL Connectivity Service Dialler
"{1BD9E661-E34D-4E56-B1E1-8D0224ADD313}"= UDP:c:\program files\Common Files\aol\acs\AOLacsd.exe:AOL Connectivity Services
"{4EFA2407-3542-4AAF-9D5E-3F03DC4E7136}"= TCP:c:\program files\Common Files\aol\acs\AOLacsd.exe:AOL Connectivity Services
"{3593322F-B3A8-4DE2-9442-65C8171F082D}"= UDP:c:\program files\AOL 9.0 VR\waol.exe:AOL
"{1F26554A-C240-4C3C-A364-EE0408AE3F08}"= TCP:c:\program files\AOL 9.0 VR\waol.exe:AOL
"{6EFF20A2-845D-4B7B-9898-77D8CAE976E5}"= UDP:c:\program files\Common Files\aol\TopSpeed\3.0\aoltpsd3.exe:AOL TopSpeed
"{BB18C836-D797-4544-8397-4C30339028AF}"= TCP:c:\program files\Common Files\aol\TopSpeed\3.0\aoltpsd3.exe:AOL TopSpeed
"{B644713B-A6BC-4EF3-949C-0ADF69A4E6C5}"= UDP:c:\program files\Common Files\aol\Loader\aolload.exe:AOL Loader
"{6535B5B5-D364-45D2-845A-634E36690C80}"= TCP:c:\program files\Common Files\aol\Loader\aolload.exe:AOL Loader
"{7449E4DC-6F99-46F7-8D21-CCD586FA1C6D}"= UDP:c:\program files\Common Files\aol\System Information\sinf.exe:AOL System Information
"{7355D5F9-BE17-4508-9F39-8A61EB72DC04}"= TCP:c:\program files\Common Files\aol\System Information\sinf.exe:AOL System Information
"{ADFC196C-C492-485C-AADC-F0E23EC6C447}"= UDP:c:\program files\Skype\Phone\Skype.exe:Skype
"{86106E12-B160-4F77-9E19-BFA0EBC87328}"= TCP:c:\program files\Skype\Phone\Skype.exe:Skype
"{08F9B80F-B35A-442E-BB9A-3DCEBD8DAE72}"= Profile=Private|Profile=Public|c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
"{C3C20D16-9010-437F-B842-42A91F1ADA90}"= UDP:c:\program files\Microsoft LifeCam\LifeCam.exe:LifeCam.exe
"{C329615A-E9A3-40AE-B938-3678B8F067BB}"= TCP:c:\program files\Microsoft LifeCam\LifeCam.exe:LifeCam.exe
"{51F892CC-CC4C-4F58-8269-FECCAEA1DD4E}"= UDP:c:\program files\Microsoft LifeCam\LifeExp.exe:LifeExp.exe
"{EE376C0C-9108-4211-9D49-3821A527110D}"= TCP:c:\program files\Microsoft LifeCam\LifeExp.exe:LifeExp.exe
"{3FDF57ED-3131-45B8-AE1F-BF1BD2F9647F}"= UDP:c:\program files\Common Files\aol\1173859703\ee\aolsoftware.exe:AOL Services
"{14A7C763-BCF3-4BEC-A9CF-AF27FD3F8D46}"= TCP:c:\program files\Common Files\aol\1173859703\ee\aolsoftware.exe:AOL Services
"{21FF370D-CBC3-4E33-9126-89EEF99DED86}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{DA5A857B-F3BE-41E7-943B-E559C351E3BB}"= UDP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{946C4049-953E-4763-91B9-D7D5A4B602BC}"= TCP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{4932FBD8-F615-4908-8D45-EC7058892CCD}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{0F95F9EF-C636-4D2C-99A0-3CB2EF6416ED}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{9DDA1371-C049-4504-83D2-C240C505B9AC}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{1520C8D1-4A46-480B-8B3C-193EAEF16C53}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{AF85B9DD-743E-430B-B44B-B2A7D74704AB}c:\\program files\\java\\jre6\\bin\\java.exe"= UDP:c:\program files\java\jre6\bin\java.exe:Java(TM) Platform SE binary
"UDP Query User{E4382513-FB82-4CA6-AEC1-5F6DBDADA500}c:\\program files\\java\\jre6\\bin\\java.exe"= TCP:c:\program files\java\jre6\bin\java.exe:Java(TM) Platform SE binary

R0 AFS;AFS;c:\windows\System32\drivers\AFS.SYS [02/07/2007 21:02 77004]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [04/09/2009 14:50 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [04/09/2009 14:49 74480]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\System32\atiesrxx.exe [29/04/2009 03:07 176128]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [29/09/2008 16:27 210216]
R3 3xHybrid;ASUSTek SAA713x PCI Card;c:\windows\System32\drivers\3xHybrid.sys [14/03/2007 16:54 816512]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\System32\drivers\AtiHdmi.sys [10/09/2009 22:21 95232]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [04/09/2009 14:50 7408]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [14/03/2007 09:13 29744]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2007-07-26 c:\windows\Tasks\HDReg.job
- c:\program files\HDReg\HDRegRem.exe [2003-07-15 09:14]

2007-07-03 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2009-02-24 10:53]

2009-01-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2009-02-24 10:53]

2007-07-09 c:\windows\Tasks\PBReg.job
- c:\program files\HDReg\HDRegApp.exe [2005-06-21 13:05]

2007-08-16 c:\windows\Tasks\PBRegbk.job
- c:\program files\HDReg\HDRegApp.exe [2005-06-21 13:05]

2009-09-12 c:\windows\Tasks\Recovery DVD Creator.job
- c:\program files\Packard Bell\SetupMyPc\MCDCheck.exe [2007-03-14 16:34]

2009-09-13 c:\windows\Tasks\User_Feed_Synchronization-{4F878003-80D5-439B-9573-560D537B2563}.job
- c:\windows\system32\msfeedssync.exe [2009-07-29 20:13]

2009-09-13 c:\windows\Tasks\User_Feed_Synchronization-{759A0F8C-E8B4-45CC-95DB-248466E30E77}.job
- c:\windows\system32\msfeedssync.exe [2009-07-29 20:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
mStart Page = hxxp://uk.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
IE: &Search
TCP: {A01BC037-DC98-4470-A87D-54633D54BCA1} = 205.188.146.145
DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} - hxxp://www.digitalwebbooks.com/reader/dbplugin.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-13 13:25
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-09-13 13:27
ComboFix-quarantined-files.txt 2009-09-13 12:27
ComboFix2.txt 2009-09-12 16:20
ComboFix3.txt 2009-09-12 16:05
ComboFix4.txt 2009-09-10 15:37
ComboFix5.txt 2009-09-13 12:12

Pre-Run: 165,777,108,992 bytes free
Post-Run: 165,679,534,080 bytes free

431 --- E O F --- 2009-09-11 10:51


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, September 13, 2009
Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 2 (build 6002)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, September 13, 2009 15:07:08
Records in database: 2801519
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Objects scanned: 143231
Threats found: 5
Infected objects found: 11
Suspicious objects found: 0
Scan duration: 01:59:05


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\Program Files\FrostWire\nokia charger wire skepta.mp3.vir Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Users\steven and matt\AppData\Local\VirtualStore\Program Files\FrostWire\Bloc party - Tulips.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Users\steven and matt\AppData\Local\VirtualStore\Program Files\FrostWire\change in nature operahouse MTV.mp3 Infected: Trojan-Downloader.WMA.GetCodec.f 1
C:\Users\steven and matt\AppData\Local\VirtualStore\Program Files\FrostWire\coldtown natty.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Users\steven and matt\AppData\Local\VirtualStore\Program Files\FrostWire\Flobots-Happy Together.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Users\steven and matt\AppData\Local\VirtualStore\Program Files\FrostWire\high school musicla sexy girl has shaking orgasm during sex.mp3 Infected: Trojan-Downloader.WMA.Wimad.o 1
C:\Users\steven and matt\AppData\Local\VirtualStore\Program Files\FrostWire\nokia charger wire.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Users\steven and matt\AppData\Local\VirtualStore\Program Files\FrostWire\put donk on it black out crew.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Users\steven and matt\AppData\Local\VirtualStore\Program Files\FrostWire\silence in violence rifles.mp3 Infected: Trojan-Downloader.WMA.GetCodec.r 1
C:\Users\steven and matt\AppData\Local\VirtualStore\Program Files\FrostWire\sway ft stash-fuck your ex .mp3 Infected: Trojan-Downloader.WMA.GetCodec.n 1
C:\Users\steven and matt\AppData\Local\VirtualStore\Program Files\FrostWire\wiley- summertime .mp3 Infected: Trojan-Downloader.WMA.GetCodec.n 1

Selected area has been scanned.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:30:29, on 13/09/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Common Files\aol\1173859703\ee\aolsoftware.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\vVX3000.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Google\Google_BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1173859703\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [toolbar_eula_launcher] C:\Program Files\Packard Bell\GOOGLE_EULA\EULALauncher.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX3000] C:\Windows\vVX3000.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/files/BeboUploader.5.1.4.cab
O16 - DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} (dnlplayer Class) - http://www.digitalwebbooks.com/reader/dbplugin.cab
O16 - DPF: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - http://messenger.zone.msn.com/binary/ms ... b56986.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Fac ... oader3.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {80AEEC0E-A2BE-4B8D-985F-350FE869DC40} (HPDDClientExec Class) - http://h20264.www2.hp.com/ediags/dd/ins ... sVista.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} - http://appdirectory.messenger.msn.com/A ... tPkMSN.cab
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} - http://appdirectory.messenger.msn.com/A ... gWXMSN.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/f ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A01BC037-DC98-4470-A87D-54633D54BCA1}: NameServer = 205.188.146.145
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 9690 bytes
Pi&Chips
Regular Member
 
Posts: 276
Joined: December 1st, 2007, 7:30 am
Location: Garden of England

Re: It calls itself AntiMalware, but I don't believe it...

Unread postby jmw3 » September 13th, 2009, 12:07 pm

Hello kmilne

Not looking too bad. Just a few things to clean up.

It looks as though that AntiMalware is still registered in the WMI. Possibly the reason you were getting the warning when running ComboFix. Let's see if we can de-register it.
Follow these instructions for de-registering AntiMalware:

**Note: Make sure you only delete AntiMalware products
  • Click Start > Run & copy/paste wbemtest into the Run box then click OK
  • Click Connect
  • Copy/paste root/securitycenter into the Namespace box then click Connect
  • Click Query
  • Copy/paste SELECT * FROM AntiSpywareProduct under Enter Query then click Apply
  • If there is more than one result, it means there is more than one AntiSpyware program registered
  • Double-click on each result to view the properties for that AntiSpyware product
  • Identify the product(s) registered by scrolling down to companyName then click Close
  • In the Query Result window, click Delete for any AntiSpyware software that is no longer installed
  • Click Close then Exit
OTM
Download OTM by OldTimer Here & save it to your desktop.
  • Double click on OTM.exe to run it
  • Copy & paste the contents of the Code box below into Paste Instructions for Items to be Moved
Note: Do not type it out to minimize the risk of typo error
Code:
:Files
C:\Users\steven and matt\AppData\Local\VirtualStore\Program Files\FrostWire
:Commands
[Purity]
[EmptyTemp]
[Reboot]

  • Click on MoveIt!
  • When done, click on Exit
Note: If a file or folder can't be moved immediately, you may be asked to restart your computer. Choose Yes.
A log will be produced at C:\_OTM\MovedFiles\date_time.log, where date_time are numbers. Post this log in your next reply.

To post in next reply:
OTM log
New HijackThis log
Update on how the computer is running / problems
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia
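The wbemtest walk-through above can also be scripted. What follows is an added example, not code from this thread or from the MalwareRemoval.com helpers: it lists every product Windows Security Center has registered, with the companyName field the instructions tell you to check, and removes a stale entry only after a -WhatIf preview. It assumes Windows PowerShell 3.0 to 5.1 run from an elevated prompt (Get-WmiObject is not present in PowerShell 7), that registrations live in root\SecurityCenter (the namespace the instructions use) and, on Windows 7 and later, in root\SecurityCenter2, and it goes beyond the instructions by covering AntiVirusProduct and FirewallProduct as well as AntiSpywareProduct.

```powershell
# Added example, not the thread's own instructions: list every product that
# Windows Security Center has registered and optionally remove a stale entry.
# Assumes Windows PowerShell 3.0-5.1 run elevated; Get-WmiObject is not in
# PowerShell 7. root\SecurityCenter2 is assumed to exist on Windows 7 and
# later only, so a missing namespace or class is skipped, not treated as an error.

$SecurityCenterNamespaces = 'root\SecurityCenter', 'root\SecurityCenter2'
$SecurityCenterClasses    = 'AntiVirusProduct', 'AntiSpywareProduct', 'FirewallProduct'

function Get-RegisteredSecurityProducts {
    # Equivalent of running "SELECT * FROM AntiSpywareProduct" (plus the AV and
    # firewall classes) in wbemtest, with the fields a reviewer needs side by side.
    [CmdletBinding()]
    param()

    foreach ($ns in $SecurityCenterNamespaces) {
        foreach ($class in $SecurityCenterClasses) {
            $instances = Get-WmiObject -Namespace $ns -Class $class -ErrorAction SilentlyContinue
            foreach ($p in $instances) {
                # pathToSignedProductExe exists only in root\SecurityCenter2; on the
                # older namespace it reads as $null, and so does ExeExists below.
                $exe       = $p.pathToSignedProductExe
                $exeExists = $null
                if ($exe) { $exeExists = Test-Path -LiteralPath $exe }

                [PSCustomObject]@{
                    Namespace    = $ns
                    Class        = $class
                    DisplayName  = $p.displayName
                    Company      = $p.companyName   # the field the thread says to check
                    ProductExe   = $exe
                    ExeExists    = $exeExists       # $false = registered, but binary is gone
                    InstanceGuid = $p.instanceGuid
                }
            }
        }
    }
}

function Remove-StaleSecurityProduct {
    # Deletes the registration(s) whose displayName you have confirmed belongs to
    # software that is no longer installed. Run with -WhatIf first: nothing is
    # removed until you drop it, which is the scripted form of the thread's
    # "make sure you only delete AntiMalware products" note.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string] $DisplayName
    )

    foreach ($ns in $SecurityCenterNamespaces) {
        foreach ($class in $SecurityCenterClasses) {
            $stale = @(Get-WmiObject -Namespace $ns -Class $class -ErrorAction SilentlyContinue |
                       Where-Object { $_.displayName -eq $DisplayName })
            foreach ($p in $stale) {
                $target = "$ns $class '$($p.displayName)' ($($p.companyName))"
                if ($PSCmdlet.ShouldProcess($target, 'Remove Security Center registration')) {
                    Remove-WmiObject -InputObject $p
                }
            }
        }
    }
}

# Usage, from an elevated prompt:
Get-RegisteredSecurityProducts | Format-Table -AutoSize
# Preview only; drop -WhatIf once the entry is confirmed stale:
# Remove-StaleSecurityProduct -DisplayName 'AntiMalware' -WhatIf
```

A registration whose ExeExists column is $false, or whose Company does not match any product actually installed, is the scripted counterpart of the wbemtest result the instructions have you inspect by hand; the matching by exact displayName in the removal function is deliberate so that a genuine product with a similar name is never caught.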

Re: It calls itself AntiMalware, but I don't believe it...

Unread postby Pi&Chips » September 13th, 2009, 3:38 pm

Hi again

No results at all showed up from the wbemtest query. But here are the OTM and HJT logs.

Computer appears to be running well. Most significant change is that Windows Security Centre is no longer reporting the presence of AntiMalware.

Can't get McAfee working - it's reporting that Virus Protection isn't installed. I suspect the owner of this computer will have to get on to AOL to get his subscription refreshed.



All processes killed
========== FILES ==========
C:\Users\steven and matt\AppData\Local\VirtualStore\Program Files\FrostWire\mix_data moved successfully.
Folder move failed. C:\Users\steven and matt\AppData\Local\VirtualStore\Program Files\FrostWire scheduled to be moved on reboot.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User

User: Phil

User: Public
->Temp folder emptied: 0 bytes

User: steven and matt
->Temp folder emptied: 80818052 bytes
File delete failed. C:\Users\steven and matt\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 639457 bytes
->Java cache emptied: 266853 bytes
->Apple Safari cache emptied: 33814 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 4400 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 77.97 mb


OTM by OldTimer - Version 3.0.0.6 log created on 09132009_180326


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:22:45, on 13/09/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Common Files\aol\1173859703\ee\aolsoftware.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\vVX3000.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Google\Google_BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1173859703\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [toolbar_eula_launcher] C:\Program Files\Packard Bell\GOOGLE_EULA\EULALauncher.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX3000] C:\Windows\vVX3000.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/files/BeboUploader.5.1.4.cab
O16 - DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} (dnlplayer Class) - http://www.digitalwebbooks.com/reader/dbplugin.cab
O16 - DPF: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - http://messenger.zone.msn.com/binary/ms ... b56986.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Fac ... oader3.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {80AEEC0E-A2BE-4B8D-985F-350FE869DC40} (HPDDClientExec Class) - http://h20264.www2.hp.com/ediags/dd/ins ... sVista.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} - http://appdirectory.messenger.msn.com/A ... tPkMSN.cab
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} - http://appdirectory.messenger.msn.com/A ... gWXMSN.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/f ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A01BC037-DC98-4470-A87D-54633D54BCA1}: NameServer = 205.188.146.145
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 9648 bytes
Pi&Chips
Regular Member
 
Posts: 276
Joined: December 1st, 2007, 7:30 am
Location: Garden of England

Re: It calls itself AntiMalware, but I don't believe it...

Unread postby Pi&Chips » September 13th, 2009, 5:03 pm

Further update: McAfee is up and running. Things are looking good.

Keith
Pi&Chips
Regular Member
 
Posts: 276
Joined: December 1st, 2007, 7:30 am
Location: Garden of England

Re: It calls itself AntiMalware, but I don't believe it...

Unread postby jmw3 » September 13th, 2009, 7:27 pm

Hi
Most significant change is that Windows Security Centre is no longer reporting the presence of AntiMalware.
Good stuff.
Further update: McAfee is up and running. Things are looking good.
Even better :)

Clean Up
Now we need to clear out the programs we've been using to clean up your computer, they are not suitable for general malware removal and could cause damage if used inappropriately.
Remove ComboFix
The following will implement some cleanup procedures as well as reset System Restore points:
Click Start > Run then copy/paste the following bolded text into the Run box and click OK:
ComboFix /u
  • Double-click OTM
  • Click the CleanUp! button
  • Select Yes when the Begin cleanup Process? prompt appears
  • If you are prompted to Reboot during the cleanup, select Yes
  • The tool will delete itself once it finishes, if not delete it yourself
You can delete the following from your desktop:
DDS.scr
The Gmer.exe file (it will be a randomly named .exe file)
RootRepeal.exe & the RootRepeal zip file
TFC.exe
Any logs that may have been saved to your desktop

You should also remove HijackThis. You can do this by going to C:\Program Files\Trend Micro\HijackThis
  • Double click HijackThis.exe
  • From the Main menu click Open the Misc Tools section
  • Using the scroll bar, scroll down to Uninstall HijackThis
  • Click Uninstall HijackThis & exit then click Yes at the prompt

All Clean
Congratulations, good work, your system is now clean. Now that your system is safe we would like you to keep it that way.
Take the time to follow these recommendations & it will greatly reduce the risk of further infections and greatly diminish the chances of you having to visit here again.

Create a Clean System Restore Point
Create a new, clean System Restore point which you can use in case of future system problems:
Press Start->All Programs->Accessories->System Tools->System Restore, then click on open System Protection
Select Create a restore point, then Next, type a name like All Clean then press the Create button and once it's done press Close
Now remove old, infected System Restore points:
Next click Start->Run and type cleanmgr in the box and click OK
Ensure the boxes for Temporary Files & Temporary Internet Files are checked. You can choose to check other boxes if you wish but they are not required.
Select the More Options tab, under System Restore click Clean up... and click Yes to the prompt
Click OK and Yes to confirm.

Microsoft Windows Update
Microsoft releases patches for Windows and Office products regularly to patch up loopholes in Windows and Office products and fix any bugs found. Install the updates immediately if they are found.
To update Windows
Go to Start > All Programs > Windows Update
To update Office
Open up any Office program.
Go to Help > Check for Updates

Malwarebytes' Anti-Malware
Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free but for real-time protection you will have to pay a small one-time fee.
You can find a tutorial here. Keep it updated & run it regularly.

SpywareBlaster
Download and install Javacools SpywareBlaster from here
SpywareBlaster adds a list of ActiveX controls, tracking cookies and sites which will be blocked in either Internet Explorer or Firefox browsers. You need to manually check for updates regularly.

Download and Install a HOSTS File
A HOSTS file is a big list of bad web sites. The list has a specific format, a specific name, (name is just HOSTS with no file extension), and a specific location. Your machine always looks at that file in that location before connecting to a web site to verify the address. So the HOSTS listing can be used to "short circuit" a request to a bad website by giving it the address of your own machine.

Download BlueTack's HOSTS Manager here, using Internet Explorer (Firefox won't work):
  • A short distance down the page in the centre, click on the Download button
  • Agree to the license
  • On the next page, to the right side of where it says Download Estimates, right click on the underlined word Hosts Manager choose Save Target As and download the installer Hosts20setup.exe to your desktop
  • Double click the Installer on your desktop and let it Install the Hosts Manager
  • After the installation is complete, click on the Hosts Manager icon on your desktop. (You can delete the other Hosts Switch icon from your desktop)
  • When the Hosts Manager comes up, click the small down arrows on the right side of the bar labeled Options and Tools,
  • Click Disable DNS Service. This is important
  • In the Left Pane, click Download
  • It will load 80,000 lines or more. When it finishes, also in the left pane, click Replace, and then click Save
You can use this manager to handle your HOSTS file download, edits, and most any other HOSTS issue.
If you have a separate party firewall or Winpatrol, you may have to give permissions at various times to Unlock the present default HOSTS file and install the new one.

Web of Trust
WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
  • Green to go
  • Yellow for caution
  • Red to stop
WOT has an addon available for both Firefox and Internet Explorer.

Install WinPatrol
Download it here
You can find information about how WinPatrol works here

Read some information here on how to prevent Malware.

Hopefully these steps will help keep your computer clean.

Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

If there are any other questions then feel free to ask or in future do not hesitate to contact us here at The Malware Removal Forums
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia
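The HOSTS-file "short circuit" that jmw3 describes above (a bad site's name is pointed at the local machine, so the request never leaves the PC) is easy to verify by parsing the file yourself. The block below is an added example and is not code from this thread or from BlueTack's Hosts Manager; the sample HOSTS content, the host names and the 203.0.113.7 address are all constructed for illustration. It separates entries that sinkhole a name to the local machine (what a blocking list does) from entries that send a name somewhere else, which is the pattern to review on a cleaned machine, since rogue software sometimes rewrites HOSTS so that vendor update hosts resolve to a remote address.

```python
"""Parse a Windows HOSTS file and separate sinkholed entries from redirects.

Added example for the HOSTS discussion in the thread; not code from the
thread or from BlueTack's Hosts Manager. All sample data is constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List

# Constructed sample HOSTS content (not taken from the thread).
SAMPLE_HOSTS = """\
# Default loopback names
127.0.0.1       localhost
::1             localhost
# Entries a blocking list adds: bad sites are pointed at the local machine
127.0.0.1       ads.example-tracker.test
0.0.0.0         malware.example.test   www.malware.example.test
# The kind of entry rogue software plants: a vendor update host sent to a
# remote address instead of the local machine (hypothetical; 203.0.113.7 is
# a documentation address)
203.0.113.7     update.example-av.test
"""


@dataclass
class HostsEntry:
    line_no: int
    address: str
    hostnames: List[str] = field(default_factory=list)


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse HOSTS format: '<ip> <name> [<name>...]'; '#' starts a comment."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                            # no hostname; Windows ignores it
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # first field is not an address
        entries.append(HostsEntry(line_no, fields[0], fields[1:]))
    return entries


def is_sinkhole(address: str) -> bool:
    """True when the address sends the request back to the local machine."""
    ip = ipaddress.ip_address(address)
    return ip.is_loopback or ip.is_unspecified   # 127.x.x.x, ::1, 0.0.0.0


def classify(entries):
    """Split entries into blocking (sinkholed) and redirecting (review) sets."""
    blocked, redirected = [], []
    for entry in entries:
        if is_sinkhole(entry.address):
            blocked.append(entry)
        else:
            redirected.append(entry)
    return blocked, redirected


def review_hosts(text: str) -> dict:
    """Summarise a HOSTS file: names blocked, and names redirected elsewhere."""
    blocked, redirected = classify(parse_hosts(text))
    # 'localhost' entries are the normal default, not a blocking rule
    blocked_names = sorted({n for e in blocked for n in e.hostnames} - {"localhost"})
    # Each redirected name is reported with its target and the line it sits on
    redirect_names = sorted((n, e.address, e.line_no)
                            for e in redirected for n in e.hostnames)
    return {"blocked": blocked_names, "redirected": redirect_names}


if __name__ == "__main__":
    import pprint
    pprint.pprint(review_hosts(SAMPLE_HOSTS))
```

To run it against a real machine, read C:\Windows\System32\drivers\etc\hosts into `review_hosts` instead of `SAMPLE_HOSTS`; anything that turns up under "redirected" deserves a look, because a legitimate blocking list only ever points names at the local machine.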

Re: It calls itself AntiMalware, but I don't believe it...

Unread postby Pi&Chips » September 14th, 2009, 5:08 am

Great work, jmw3. Everything running beautifully. Thanks for all your help.

Re: It calls itself AntiMalware, but I don't believe it...

Unread postby jmw3 » September 14th, 2009, 9:09 am

No problem at kmilne... Glad I could help :)

I'm contemplating doing the MWR University training to make sure I get no free time at all...
I hope you do take it up. You obviously have a genuine disposition to help people. Not denying it is time consuming & needs quite a bit of commitment, but I think you would find it very rewarding.... so Go For It :thumbup:

Good Luck & Surf Safe

Re: It calls itself AntiMalware, but I don't believe it...

Unread postby Gary R » September 15th, 2009, 12:07 pm

As your problems appear to have been resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire